
Morris Worm

The Morris worm was released onto the Internet on the evening of November 2, 1988, causing serious damage to the network. The worm was developed and released by Robert T. Morris, Jr., a graduate student at Cornell University. The damage was estimated at between $100,000 and $97 million, and Morris was subsequently convicted of violating the Federal Computer Fraud and Abuse Act of 1986, for which he received a fine of $10,000, a suspended three-year jail sentence, and 400 hours of community service.(1)

The primary damage caused by the worm was due to computing resource exhaustion. The worm was designed to check whether a target host was already infected so that duplicate copies were not created on the same host, but due to a flaw in the code many copies were created on each machine, causing a serious degradation in performance as the worms used more and more computing resources. The worm caused secondary damage when system administrators began disconnecting their machines from the Internet in an effort either to avoid spreading the infection or to avoid the infection in the first place. The disconnection of so many systems disrupted research and business relying on network connections. In total, an estimated 6,000 installations had to either shut down or disconnect from the Internet. Some machines were disconnected for several days. As in the case of the SQL Slammer worm of 2003, the Morris worm did not cause as much damage as it might have if it had contained code instructing it to delete or encrypt files on its hosts.(2)

The Morris worm exploited several weaknesses in the software of Sun Microsystems Sun 3 systems and VAX machines running 4 BSD versions of UNIX. The Morris worm infected these machines, and no others. The weaknesses included buffer overflows in fingerd, a debugging command in sendmail, and weaknesses in password encryption. Finger is a common utility that gives network users information on other users, and fingerd is a daemon that runs as a background process. The worm established a connection to fingerd and then passed it a "specially constructed string of 536 bytes" that overran its buffer, overwriting the return address for the main routine. On a return from the main routine, control was transferred instead to code that had been written into the buffer in the previous step. On VAXes, the code that was actually executed (execve("/bin/sh", 0, 0)) resulted in the worm connecting to a remote shell via a TCP connection, beginning another round of infection; on Sun machines it resulted in a simple core dump.

Sendmail, too, runs in the background as a daemon and normally has adequate security protections. However, the version of Sendmail available at the time could be configured to allow systems connecting to it to issue a DEBUG command, intended to allow administrators to monitor the state of sending mail messages, that could run arbitrary shell commands on the Sendmail host. This useful and powerful feature was often left enabled by vendors and system administrators to facilitate troubleshooting of the highly complex and site-specific configuration required by Sendmail. The worm sent a DEBUG command to sendmail that permitted the worm to directly issue a set of system commands.
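
The fingerd overflow described above comes down to a request line read with no length limit. The following added example (not code from the original page or from fingerd) shows a bounded reader that rejects an oversized request instead of storing it; the 512-byte buffer size, the `gets()` call noted in the comment, and the names `read_request` and `check_request` are assumptions for illustration that the page does not state.

```c
#include <stdio.h>
#include <string.h>

#define LINE_CAP 512  /* assumed size of the daemon's line buffer (not given on the page) */

/* 1988-era pattern, shown only as a comment:  char line[512]; gets(line);
 * gets() takes no length, so a 536-byte request writes past the end of line[]. */

/* Read one request line into buf[cap]. Returns the line length without its
 * CR/LF, or -1 when the line does not fit; the excess is drained, not stored. */
int read_request(FILE *in, char *buf, size_t cap)
{
    if (cap < 2 || fgets(buf, (int)cap, in) == NULL)
        return -1;
    size_t n = strcspn(buf, "\r\n");
    if (buf[n] == '\0' && n == cap - 1) {   /* buffer full, no line ending seen */
        int c, extra = 0;
        while ((c = fgetc(in)) != EOF && c != '\n')
            if (c != '\r') extra++;
        if (extra > 0) { buf[0] = '\0'; return -1; }
    }
    buf[n] = '\0';
    return (int)n;
}

/* Feed a constructed request of request_len filler bytes plus CRLF through
 * read_request() and confirm the guard bytes after the buffer are unchanged. */
int check_request(size_t request_len)
{
    struct { char line[LINE_CAP]; unsigned char guard[8]; } frame;
    FILE *in = tmpfile();
    if (in == NULL) return -3;              /* could not create scratch input */
    for (size_t i = 0; i < request_len; i++) fputc('A', in);
    fputs("\r\n", in);
    rewind(in);
    memset(frame.guard, 0x5A, sizeof frame.guard);
    int r = read_request(in, frame.line, sizeof frame.line);
    fclose(in);
    for (size_t i = 0; i < sizeof frame.guard; i++)
        if (frame.guard[i] != 0x5A) return -2;  /* adjacent memory was touched */
    return r;
}

int main(void)
{
    printf("6 -> %d, 511 -> %d, 536 -> %d\n", check_request(6), check_request(511), check_request(536));
    return 0;
}
```
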

The Morris worm also exploited weaknesses in the Unix password scheme at the time, which placed encrypted passwords of each and every user in a publicly accessible file.(3) Even though the encrypted passwords could not easily be decrypted themselves, attackers could compile and then encrypt lists of likely passwords from system dictionaries and other sources; these lists of encrypted passwords were then compared with the publicly accessible encrypted passwords until a match appeared (user names were also publicly accessible in unencrypted form).(4) While all of the specific vulnerabilities exploited by the Morris worm were quickly addressed, buffer overflows and remote command execution remain some of the most common vectors for computer security exploits, and although encrypted passwords are now hidden from public view, users, then and now, frequently choose short, simple, and easily guessed passwords.(5)
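
Whether encrypted passwords are still readable by every user can be checked from the password file itself. This added example (not from the original page) classifies the second field of each passwd-format line, using the shadow-password convention that `x` means the value is stored elsewhere and a leading `*` or `!` means the account is locked; the function names, the sample file and its placeholder strings are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

enum pw_state { PW_SHADOWED, PW_LOCKED, PW_EMPTY, PW_EXPOSED, PW_MALFORMED };

/* Classify the password field (second ':'-separated field) of one passwd line. */
enum pw_state classify_entry(const char *line, size_t len)
{
    const char *p = memchr(line, ':', len);
    if (p == NULL) return PW_MALFORMED;
    const char *field = p + 1;
    const char *q = memchr(field, ':', len - (size_t)(field - line));
    if (q == NULL) return PW_MALFORMED;
    size_t flen = (size_t)(q - field);
    if (flen == 0) return PW_EMPTY;                        /* account has no password */
    if (flen == 1 && field[0] == 'x') return PW_SHADOWED;  /* value kept in a restricted file */
    if (field[0] == '*' || field[0] == '!') return PW_LOCKED;
    return PW_EXPOSED;                                     /* value readable by every user */
}

/* Count the entries in passwd-format text whose password field is in state `want`. */
int count_entries(const char *text, enum pw_state want)
{
    int hits = 0;
    while (*text != '\0') {
        size_t len = strcspn(text, "\n");
        if (len > 0 && text[0] != '#' && classify_entry(text, len) == want)
            hits++;
        text += len;
        if (*text == '\n') text++;
    }
    return hits;
}

/* Constructed sample; the password strings are placeholders, not real values. */
static const char SAMPLE[] =
    "root:x:0:0:root:/root:/bin/sh\n"
    "daemon:*:1:1:daemon:/:/usr/sbin/nologin\n"
    "alice:PLACEHOLDERHASH1:1001:1001:Alice:/home/alice:/bin/sh\n"
    "bob:PLACEHOLDERHASH2:1002:1002:Bob:/home/bob:/bin/sh\n"
    "guest::1003:1003:Guest:/home/guest:/bin/sh\n"
    "broken-line-without-fields\n";

int main(void)
{
    printf("exposed=%d empty=%d\n", count_entries(SAMPLE, PW_EXPOSED), count_entries(SAMPLE, PW_EMPTY));
    return 0;
}
```
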

The Morris worm had a tremendous impact on the Internet community, mostly composed of academics and researchers at the time. The flaws in the Unix system that had allowed the worm to spread were fixed, and system administrators began to look for ways to boost security. The worm was released at about the same time that Clifford Stoll reported on his investigation of the "Cuckoo's Egg" hacker. The combination of events led the computing community to the conclusion that better organization was needed for dealing with malicious and non-malicious code flaws. One of the results was the formation of the Computer Emergency Response Team (CERT) at Carnegie Mellon University and other such centers that allowed system administrators to exchange information on problems and solutions.(6)

3: Robert Morris and Ken Thompson, "Password Security: A Case History," Communications of the ACM 22, no. 11 (Nov. 1979): 594-97. The co-author is the father of the Robert T. Morris, Jr., who authored the Morris worm.

5: Morris and Thompson [1979] compiled a list of 3200 passwords, of which 15 were a single ASCII character, 72 were two ASCII characters, 464 were three characters, and so on, with fully 86% of passwords in this sample falling into easily specified and hence guessable categories. In our own time, the most common password for several years running has been "123456" with such variants as "12345," "12345678," "123456789," and "1234" also remarkably popular, along with "password" and "qwerty".